Privacy Wake Up Call
Commentary by J. Bradley Jansen
July 23, 2002
Last month, North Dakota sent a clear message to the financial community that privacy matters. While some state legislators have passed opt-in privacy rules on the selling and sharing of personal financial information, this was the first clear popular referendum.
There are several important lessons to be learned from the people of North Dakota.
First of all, many financial institutions and Beltway regulators underestimate the importance that people place on their personally identifiable financial information. Despite being outspent at least six to one, proponents of the “opt-in” requirement persuaded nearly three quarters of the voters to agree with them. Money for fancy ads did not override privacy concerns.
Secondly, the effort made to defeat the proposal shows that financial institutions consider the “opt-in” approach unworkable as a business plan. Some bankers argued they do not sell information because it would be stupid since customers would leave them. Others maintained that the proposal would interfere with firms that do business globally and nationally and therefore make the state an unattractive place to do business. The patchwork of different state policies complicates businesses’ ability to appeal to customers. The choice is not only unworkable but unnecessary.
Unfortunately, the traditional consumer financial privacy protections that existed under common law and in a climate of business competition to respect privacy are gone. Since the implementation of the Bank Secrecy Act of 1970, the United States Supreme Court has ruled effectively that we do not have an expectation of privacy on the records someone else has on us.
Then-President Richard Nixon gave us the BSA as part of the War on Drugs. The law has been spectacularly ineffective in getting illegal drugs off our streets, but it has been effective in eviscerating the privacy expectations of ordinary, law-abiding citizens. It has ushered in the current climate of identity theft, fear of online transactions and distrust of financial institutions’ use of our personal information. By removing our previous privacy expectations, the BSA has enabled a growing epidemic of identity fraud and lowered public confidence in our financial institutions.
The privacy provision of the financial modernization law, Title V of the Gramm-Leach-Bliley Act of 2000, established a floor and invites states to raise it. Now that North Dakota has spoken, California may take up the gauntlet with the help of a deep-pocketed funder. Should we address the problem differently, we need to do so now.
The current framework of the opt-in/opt-out choice gives us two inferior possibilities. Until we restore our common law tradition of privacy expectations strangled by the BSA, a better approach to the status quo would be to initiate a new framework such as a “home state” regulation approach.
Under a home state privacy regulation regime, each financial institution in the country would have to claim one state where it is headquartered as its domicile. The company would then follow only one set of rules and could operate throughout the country. Such an approach is very workable for businesses.
What would consumers have to gain? The answer is everything: real choices for real privacy and an easier way of determining the company that best fits one’s preferences. Decide what level of comfort you have with an institution sharing—or selling—your personal financial information and pick the best company following the rules of the state that best matches your preferences.
Such competition would get us closer to the consent-based approach to data use that really underlies the current debate. George Mason University Law Professors Bruce Kobayashi and Larry Ribstein have made a similar case for the state regulation of computer cookies. Yale Law School professor Roberta Romano argued similarly for securities regulation. Current headlines belie the benefits of the Securities and Exchange Commission’s monopoly regulation.
One or more states could adopt rules that meet the European Union’s safe harbor data-use requirements, which would greatly facilitate international commerce—and the U.S. position in it. Home state privacy regulation would even encourage large financial institutions to establish affiliates in various states that could compete with one another for customers by appealing to their privacy preferences. Both business and consumers would be better off under home state privacy regulation rather than having inside-the-Beltway bureaucrats dictate regulations that work against them.